Cannot change settings, password required, but no accounts have a password (oauth) #32266

Open
EqualMarcus opened this issue Apr 19, 2024 · 2 comments

Comments


EqualMarcus commented Apr 19, 2024

Description:

We use Keycloak OAuth.

I cannot change any settings without a password, but my account does not have a password.

This has been reported as an issue in the Forums; it's likely been this way forever.

Steps to reproduce:

  1. Set up Rocket Chat with OAuth system
  2. Log into Rocket Chat as an admin
  3. Attempt to edit any admin settings, and press save changes

Expected behavior:

To be able to change administrator settings

Actual behavior:

Cannot change settings without entering a password that doesn't exist

(screenshot of the password prompt, attached in the original issue)

Server Setup Information:

  • Version of Rocket.Chat Server: 6.6.6
  • Operating System: Linux
  • Deployment Method: docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: ?
  • NodeJS Version: ?
  • MongoDB Version: 4.4

Client Setup Information

  • Desktop App or Browser Version: 3.9.14 desktop app
  • Operating System: macOS

Additional context

N/A

Relevant logs:

N/A


reetp commented May 8, 2024

Not sure on the answer to this one but will mark it to be looked at.

It hasn't been around forever - there used to be a time when a password for any admin function was not required (and no, I never was happy about this being enforced).

I presume you must have given a password when you originally set this up, prior to setting up the KeyCloak OAuth?

Wondering why there appears to be no fallback.

@reetp reetp added the type: bug label May 8, 2024

@reetp Hi!

I've figured out how to resolve this. I set up 2FA, which then replaced the Password prompt with a OTP prompt, which enabled me to proceed with changing settings.

This isn't clear though, and could do with a prompt. I didn't need a password to set up 2FA, which in some respect is a security hole?

All accounts in our organisation are connected to OAuth using Keycloak, so nobody has a password!
